Thursday, May 9, 2013

One Of The Most Important Tools In Linux – Understanding Chmod

There are plenty of features that make Linux special, and one
that makes it so secure is its permissions system. You can have
fine-grained control over all the files in your system and assign
permissions to users, groups, and everyone else. The terminal utility
“chmod” lets you control all the permissions on your system, so it’s
vital to know how chmod works in order to get the most use out of this
feature, especially if you’re planning on building your own Linux server.
There’s plenty that you’ll need to know in order to
understand the mechanics of the permissions system and control it as you
please, so get ready to take some notes. For starters,
it’s best to take a look at 40 terminal commands that you should be familiar with before diving in.

Components Of Permissions

The Linux permissions system is configured in such a way that you can
assign file and directory permissions to three different categories –
the user, the group, and everyone else. Each file or directory is owned
by a user and group, and these fields cannot be empty. If only the user
should own the file, then the group name is often the same as the
username of the owner.
You can assign specific permissions to the owner, different
permissions to the group, and yet other permissions to every other
user. The different permissions which you can assign to any of these
three categories are:

read (r, 4)

write (w, 2)

execute (x, 1)

The numbers 4, 2, and 1 as well as the letters r, w, and x are
different ways in which you can assign permissions to a category. I’ll
get to why these numbers and letters are important later on.
Permissions are important because, as you might assume, they allow
certain people to do certain things with the file. Read permissions
allow the person or group to read the contents of the file, and copy it
if they wish. Write permissions allow the person or group to write new
information into the file, or overwrite it completely. In some cases
this can also control who is allowed to delete the file; otherwise a
sticky bit must be used that won’t be covered here. Finally, execute
permissions allow the person or group to run the file as an executable,
whether it’s a binary file, an .sh file, or anything else.

Understanding Assigned Permissions

Let’s go in your terminal to any folder on your system – say your Home folder. Go ahead and type in the command ls -l and hit enter. This command lists out all of the files and directories found in whatever folder you’re currently in.
Each line represents a file or directory, and it begins with something that might look like -rw-rw-r--.
This shows you the permissions of the file or directory. In this case,
the first dash shows us that you’re looking at a file. If it were a
directory, there would be a “d” in this spot. The next three spots, rw-,
show us that the user who owns the file has read and write permissions
(rw), but no execute permission, as there’s a dash instead of an
“x”. The same is repeated for the next three spots, which represent the
permissions of the group that owns the file.
Finally, the last three spots are r--, which means that everybody else can only read the file. As a reference, the full set of possible permissions is drwxrwxrwx. It’s also important to note the “dmaxel dmaxel”
that you see after the permissions. This shows that the user owner of
the file is dmaxel and the group owner is dmaxel. For files that really
are only supposed to belong to one user, this is default behavior, but
if you’re sharing with a group that has multiple members, then you’ll
see that group listed here instead.

Assigning New Permissions

Remember the numbers and letters I mentioned earlier? Here’s where you’ll need them. Let’s say you have a file called “important_stuff” that’s located at the path /shared/Team1/important_stuff.
As the team leader, you’ll want to be able to read and write to the
file, your group members should only be allowed to read the file, and
everyone else shouldn’t have any permissions at all.
In order to make sure that you and your group own the file, you’ll need to run the command chown. An appropriate command for this situation would be chown me:Team1 /shared/Team1/important_stuff. That command runs chown, and tells it that the file at path /shared/Team1/important_stuff should belong to the user “me” and the group “Team1”.
It’s assumed that the desired group has been created and that members
have the group added as a secondary group in the system (also not
covered here). Now that you have set the owner and group, you can set
the permissions. Here, you can use the command chmod 640 /shared/Team1/important_stuff. This starts chmod, and assigns the permissions 640 to the file at path /shared/Team1/important_stuff.
Where did 640 come from? You look at the numbers represented by the
different permissions: for read and write permissions, you have 4 + 2 = 6.
The 6 represents the permissions for the user. The 4 comes from just
the read permissions for the group, and the 0 comes from no permissions
for everyone else. Therefore, you have 640. The number system is very
good because you can have a number for all possible combinations: none
(0), x (1), w (2), r (4), rx (5), rw (6), and rwx (7).
As an example, full permissions for everyone would be 777. However,
if you have security in mind, it’s best to assign only the permissions
that you absolutely need – 777 should be used rarely, if at all.
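An added example, not part of the original article: a quick audit for the over-broad permissions warned about above. It lists every file and directory that everyone else can write to, in both number and letter form; the function names and the sample tree are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (assumes GNU find and stat). Prints
# "<octal mode> <letter mode> <path>" for every regular file or directory
# under DIR whose "everyone else" write bit (value 2) is set.
audit_world_writable() {
    # -perm -0002: the other-write bit is set, whatever the remaining bits are.
    # Symbolic links are not reported; access is decided by the target's mode.
    find "$1" \( -type f -o -type d \) -perm -0002 \
        -exec stat -c '%a %A %n' {} + | LC_ALL=C sort -k3
}

# Constructed sample tree that mirrors the article's /shared/Team1 layout.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Team1/drop"
    : > "$root/Team1/important_stuff"
    : > "$root/Team1/notes.txt"
    chmod 750 "$root/Team1"
    chmod 640 "$root/Team1/important_stuff"   # rw- r-- ---  (not reported)
    chmod 777 "$root/Team1/notes.txt"         # rwx rwx rwx  (reported)
    chmod 777 "$root/Team1/drop"              # rwx rwx rwx  (reported)
    # Strip the temporary prefix so the report is stable between runs.
    audit_world_writable "$root" | sed "s|$root/||"
    rm -rf "$root"
}

demo_audit
```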

Alternative Method

While I prefer the number method of assigning permissions, you can
increase your flexibility and also add or remove permissions using the
representative letters. For the above situation, the command used could
also be chmod u=rw,g=r,o= /shared/Team1/important_stuff.
Here, u=rw assigns read and write permissions to the user, g=r assigns
read permissions to the group, and o= assigns no permissions to everyone
else. There’s also ‘a’ which can assign the same permissions for all
categories.
You can also combine several of these assignments in one command, and
use + or - signs instead of =. These simply add or remove the named
permissions (if they haven’t already been added or removed) instead of
completely overwriting the permissions that you’re changing.
So, different examples can include:

chmod a+x /shared/Team1/important_stuff assigns execute permissions to everyone if they don’t have it already

chmod ug=rw,o-w /shared/Team1/important_stuff forces
the user and group to just have read and write permissions, and takes
away writing permissions for everyone else in case they had it.

Applying Permissions To Multiple Files

Additionally, you can add the -R flag to the command in order to
recursively apply the same permissions to multiple files and directories
within a directory. If you wanted to change the permissions of the
Team1 folder and all files and folders within, you can run the command chmod 640 -R /shared/Team1.
Applying the same permissions to multiple, but individually picked files can be done with a command such as chmod 640 /shared/Team1/important_stuff /shared/Team1/presentation.odp.
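An added example, not from the original article: chmod 640 -R also strips the execute (search) bit from the directories themselves, and a directory without it cannot be entered. The script below shows two ways to apply the 640 policy recursively while keeping directories at 750; the function names and the sample tree are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (assumes GNU find, chmod and stat).

# Variant 1: choose the mode by file type. Files 640, directories 750.
lock_down_find() {
    # "\;" runs chmod on each directory as it is visited, before find descends.
    find "$1" -type d -exec chmod 750 {} \;
    find "$1" -type f -exec chmod 640 {} +
}

# Variant 2: capital X adds execute only to directories and to files that
# already have an execute bit, so existing scripts stay runnable for u and g.
lock_down_capital_x() {
    chmod -R u=rwX,g=rX,o= "$1"
}

# Print "<octal mode> <relative path>" for everything under DIR.
report() {
    ( cd "$1" && find . -exec stat -c '%a %n' {} + | LC_ALL=C sort -k2 )
}

# Constructed sample tree; $1 is the lock-down function to apply.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Team1/slides"
    : > "$root/Team1/important_stuff"
    : > "$root/Team1/run.sh"
    : > "$root/Team1/slides/presentation.odp"
    chmod 755 "$root/Team1" "$root/Team1/slides" "$root/Team1/run.sh"
    chmod 664 "$root/Team1/important_stuff"
    chmod 666 "$root/Team1/slides/presentation.odp"
    "$1" "$root/Team1"
    report "$root/Team1"
    rm -rf "$root"
}

demo_tree lock_down_find
demo_tree lock_down_capital_x
```

The only difference between the two reports is run.sh: the find variant resets it to 640, while capital X leaves it executable for the user and group at 750.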

Conclusion

Hopefully, these tips have helped you improve your knowledge of the
permissions system found in Linux. Security is an important matter to
consider, especially on mission-critical machines, and using chmod is
one of the best ways to keep security tight. While this is a fairly
in-depth look at using chmod, there’s still a bit more that you can do
with it, and there are plenty of other utilities that complement chmod.
If you need a place to start, I would suggest doing more research on all
of the things you can do with chown.